This article provides a comprehensive guide on setting up Azure AD Federation using OpenID Connect. It outlines the steps required to create and configure an App registration in Azure AD for federation with Questback.
Create App Registration
The first step in setting up Azure AD Federation is to create an App registration in Azure AD.
Step 1: Create the App Registration
Navigate to the “App Registrations” tab in Azure AD and create a new registration for your application.
Configure Supported Account Types
After creating the App registration, you need to configure the supported account types.
Step 2: Set Account Type
Set the Supported account types option to “Only Account from this AD” (single tenant), so that only users from your own directory can sign in through this registration.
For more information on multi-tenant applications, refer to the Azure AD documentation.
Add Redirect URI
Adding a redirect URI is crucial for the authentication flow.
Step 3: Add the Redirect URI
Add the following redirect URI to the App Registration. The same URI is used for Production environments:
https://access.questback.com/oauth2/v1/authorize/callback
Add Permissions
Proper permissions need to be set for the App Registration to function correctly.
Step 4: Add User.Read Permission
Add the “User.Read” permission to the App Registration. The value should be:
Add Optional Claims
Optional claims need to be added to the manifest of the created App Registration.
Step 5: Add Claims to Manifest
Add the following optional claims to the manifest of the App Registration:
"optionalClaims": {
    "idToken": [
        {
            "name": "family_name",
            "essential": true
        },
        {
            "name": "given_name",
            "essential": true
        }
    ],
    "accessToken": [],
    "saml2Token": []
}
Create Secret
A secret is required for secure communication between your application and Azure AD.
Step 6: Create and Store Secret
Create a secret for the App Registration and make sure to store it securely; Azure shows the secret value only at the moment it is created. You will need this secret for configuring your application.
Step 7: Note Client ID
Remember to note down the client ID of the App Registration, as you will need it for configuration purposes.
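The steps above all end up as fields in the App Registration's manifest (the "Manifest" blade in the portal), so the result can be checked mechanically before the federation is switched on. The following checker is an added example, not code from Questback or from the original guide. It assumes a manifest in the portal's export format; the two embedded manifests are constructed samples with placeholder IDs, and the only real identifiers used are the Microsoft Graph resource app ID and the ID of the User.Read delegated permission.

```python
import json

EXPECTED_REDIRECT_URI = "https://access.questback.com/oauth2/v1/authorize/callback"
MS_GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"    # Microsoft Graph resource
USER_READ_SCOPE_ID = "e1fe6dd8-ba31-4d61-89e7-88639da4683d"  # User.Read delegated permission
REQUIRED_ID_TOKEN_CLAIMS = {"family_name", "given_name"}

# Constructed sample: a manifest that follows every step of the guide.
# The appId is a placeholder, not a real registration.
GOOD_MANIFEST = json.loads(r"""
{
  "appId": "00000000-0000-0000-0000-000000000000",
  "signInAudience": "AzureADMyOrg",
  "web": {"redirectUris": ["https://access.questback.com/oauth2/v1/authorize/callback"]},
  "requiredResourceAccess": [
    {"resourceAppId": "00000003-0000-0000-c000-000000000000",
     "resourceAccess": [{"id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d", "type": "Scope"}]}
  ],
  "optionalClaims": {
    "idToken": [{"name": "family_name", "essential": true},
                {"name": "given_name", "essential": true}],
    "accessToken": [],
    "saml2Token": []
  },
  "passwordCredentials": [{"displayName": "questback-federation", "endDate": "2026-01-01T00:00:00Z"}]
}
""")

# Constructed sample: multi-tenant, an extra plain-http redirect URI,
# no optional claims and no secret. A fresh registration looks like this.
MISCONFIGURED_MANIFEST = json.loads(r"""
{
  "appId": "00000000-0000-0000-0000-000000000000",
  "signInAudience": "AzureADMultipleOrgs",
  "web": {"redirectUris": ["https://access.questback.com/oauth2/v1/authorize/callback",
                           "http://localhost:3000/callback"]},
  "requiredResourceAccess": [
    {"resourceAppId": "00000003-0000-0000-c000-000000000000",
     "resourceAccess": [{"id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d", "type": "Scope"}]}
  ],
  "optionalClaims": null,
  "passwordCredentials": []
}
""")


def check_manifest(manifest: dict) -> list:
    """Return a list of findings; an empty list means the registration matches the guide."""
    findings = []

    # Step 2: single tenant only ("AzureADMyOrg" is the manifest value for that option).
    if manifest.get("signInAudience") != "AzureADMyOrg":
        findings.append(f"signInAudience is {manifest.get('signInAudience')!r}, expected 'AzureADMyOrg'")

    # Step 3: the Questback callback must be present, everything must be https,
    # and any further URI is a further place an authorization code can be sent to.
    uris = (manifest.get("web") or {}).get("redirectUris") or []
    if EXPECTED_REDIRECT_URI not in uris:
        findings.append("Questback redirect URI is missing")
    for uri in uris:
        if not uri.startswith("https://"):
            findings.append(f"non-https redirect URI: {uri}")
    extras = [u for u in uris if u != EXPECTED_REDIRECT_URI]
    if extras:
        findings.append(f"unexpected additional redirect URIs: {extras}")

    # Step 4: User.Read delegated permission on Microsoft Graph.
    has_user_read = any(
        rra.get("resourceAppId") == MS_GRAPH_APP_ID
        and any(a.get("id") == USER_READ_SCOPE_ID and a.get("type") == "Scope"
                for a in rra.get("resourceAccess") or [])
        for rra in manifest.get("requiredResourceAccess") or []
    )
    if not has_user_read:
        findings.append("Microsoft Graph User.Read delegated permission not requested")

    # Step 5: both name claims requested in the ID token and marked essential.
    id_claims = (manifest.get("optionalClaims") or {}).get("idToken") or []
    essential = {c.get("name") for c in id_claims if c.get("essential") is True}
    missing = REQUIRED_ID_TOKEN_CLAIMS - essential
    if missing:
        findings.append(f"ID token optional claims missing or not essential: {sorted(missing)}")

    # Step 6: at least one client secret exists (the manifest never contains the value itself).
    if not manifest.get("passwordCredentials"):
        findings.append("no client secret configured")

    return findings


if __name__ == "__main__":
    for label, m in (("good", GOOD_MANIFEST), ("misconfigured", MISCONFIGURED_MANIFEST)):
        print(label, check_manifest(m) or "OK")
```

Run it against a manifest downloaded from the portal by replacing the embedded sample with `json.load(open("manifest.json"))`; a non-empty list of findings tells you which step of the guide still needs attention.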
FAQ
What is the preferred federation method for Azure AD?
The preferred federation method for Azure AD is OpenID Connect. While SAML might be possible, it is not the recommended configuration.
Why do we need to add optional claims to the manifest?
Optional claims, specifically the family_name and given_name, are added to ensure that these user details are included in the token sent by Azure AD. This information is often necessary for user identification and personalization within the application.
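Marking the claims as essential in the manifest is only half of the arrangement: the application that receives the ID token should also refuse tokens in which they are absent, and should tie the user to a stable identifier rather than to the display names. The function below is an added example, not Questback's code and not part of the original article. It assumes the token's RS256 signature has already been verified by a JWT library against the tenant's published signing keys (that step is not shown here), and the tenant ID, client ID and sample claims are constructed placeholders.

```python
import time

# Constructed placeholders for the federated tenant and the App Registration's client ID.
TENANT_ID = "11111111-1111-1111-1111-111111111111"
CLIENT_ID = "22222222-2222-2222-2222-222222222222"
ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"

# The claims Step 5 requests with "essential": true.
ESSENTIAL_CLAIMS = ("family_name", "given_name")


class ClaimsError(ValueError):
    """Raised when a signature-verified ID token must still be rejected."""


def validate_id_token_claims(claims: dict, now=None) -> dict:
    """Check the payload of an ID token whose signature was ALREADY verified.

    Assumption: `claims` is the dict a JWT library returned after checking the
    signature. This function checks who issued the token, whom it is for, that
    it is current, and that the essential name claims actually arrived. It
    returns the attributes the application should store for the user.
    """
    now = time.time() if now is None else now

    if claims.get("iss") != ISSUER:
        raise ClaimsError("issuer is not the federated tenant")
    if claims.get("tid") != TENANT_ID:
        raise ClaimsError("tid is not the federated tenant")
    if claims.get("aud") != CLIENT_ID:
        raise ClaimsError("token was issued for a different client")

    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise ClaimsError("token has expired or carries no exp")
    nbf = claims.get("nbf")
    if isinstance(nbf, (int, float)) and now < nbf:
        raise ClaimsError("token is not yet valid")

    # "essential": true in the manifest means the claim must be present; fail closed if not.
    missing = [name for name in ESSENTIAL_CLAIMS if not claims.get(name)]
    if missing:
        raise ClaimsError(f"essential claims missing from ID token: {missing}")

    # Identify the user by the immutable object ID, never by the human-readable names.
    if not claims.get("oid"):
        raise ClaimsError("oid (stable user identifier) missing")

    return {
        "object_id": claims["oid"],
        "given_name": claims["given_name"],
        "family_name": claims["family_name"],
        "username": claims.get("preferred_username"),
    }


def is_acceptable(claims: dict, now=None) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        validate_id_token_claims(claims, now)
        return True
    except ClaimsError:
        return False


# Constructed sample payload (not a real token) as it would look with both optional claims.
SAMPLE_CLAIMS = {
    "iss": ISSUER, "tid": TENANT_ID, "aud": CLIENT_ID,
    "iat": 1700000000, "nbf": 1700000000, "exp": 1700003600,
    "oid": "33333333-3333-3333-3333-333333333333",
    "preferred_username": "jane.doe@example.com",
    "given_name": "Jane", "family_name": "Doe",
}

if __name__ == "__main__":
    print(validate_id_token_claims(SAMPLE_CLAIMS, now=1700000100))
```

The `now` parameter exists so the checks can be tested deterministically; in production leave it unset so the wall clock is used.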